Enforcement of South Africa’s Protection of Personal Information Act (POPIA) begins in July and businesses are rushing to make sure they comply in time. Nicole Gabryk, ahead of her appearance at PrivSec Global next month, explains the key planks of the legislation and how the act differs from GDPR.
As the digital world continues to evolve at quick pace, and the worldwide tendency towards modernising personal data protection strengthens, many parts of the world have faced struggles and obstacles in implementing sufficient privacy legislation.
Industries and companies in South Africa have been aware of its data protection law, Protection of Personal Information Act (POPIA) for a prolonged period of time, with the Act being first promulgated in 2013, but placed on the backburner for a number of years.
Nicole Gabryk, Executive at law firm ENSafrica and speaker at PrivSec Global next month, talks to GRC World Forums about the recent developments in the legislation, and some of the stark differences between South Africa’s POPIA, and the European Union’ General Data Protecion Regulation (GDPR), and what this means for adequacy in the region.
Enacted at the end of June of 2020, the law was subject to a 12-month grace period. For the past 10 months, companies have been preparing to get compliant with various processing obligations and conditions of the Act before it goes into effect on July 1st.
The Act applies to all South African companies, including SMEs and small organisations that process personal information within South Africa and, companies or entities that sit outside of South Africa, but process personal information within South Africa either directly or through third parties.
“It’s imperative that companies that require prior authorization do that while in advance of 1 July”
Gabryk explains the most recent development in the legislation deals with the Information Officer, as it’s known under POPIA. All companies in South Africa or companies that fall under the parameters of the Act, are required to appoint an Information Officer, she says.
After some “teething issues” with the opening of the registration portal of Information Officers, the recent guidance has stated that the portal successfully opened on May 1st and all Information Officers, along with deputies in certain capacities, must be registered with the portal by June 30th.
The guidance provides information on who the Information Officer needs to be and states the role can be delegated to another representative within an organisation.
“The second recent development,” Gabryk explains, “is that guidance notes were issued in relation to certain types of prior authorizations that companies may need.”
“In particular, any time where unique identifiers are utilised by responsible parties for processing information, and where that is intended to wash against different databases, you need to apply for prior authorization from the regulator before you’re able to do that,” she adds.
“And that has a knock-on effect,” Gabryk says.
“For example, credit reporting industries where they utilise different databases to check certain data points against each other. It can have an effect for direct marketing provisions that can have an effect for forensic investigations. And there’s a general prohibition on doing any of this processing unless you’ve applied for the prior authorization. And so it’s imperative that companies that require prior authorization do that while in advance of July 1st.
Gabryk explains that as POPIA is based on the GDPR’s predecessor, the EU Directive, it lacks some of the more recent amendments and updates that appear in the GDPR.
One of the most fundamental differences between POPIA and the GDPR is that the defitinion of “data subject” under the South African law, extends beyond natural persons to juristic or corporate entities. In other words, “corporate entity information is treated as personal information,” Gabryk says.
When asked what this means for a South African adequacy ruling, Gabryk says that, “Even if there are adequacy decisions in terms of adequate laws, there are no other adequate laws that give protection to juristic entities, so there’s a bit of a gap.”
“With natural person data, subject information, we can rely on various other jurisdictions that have GDPR or similar type of legislation. But with juristic person entity information, we have to look at a different exception for processing information or transferring an item South Africa,” she says.
No liability for operators
One of the most substantial differences between POPIA and the GDPR is that POPIA does not place any obligations or liabilities on what is termed “operator” in South Africa and “data processor” in the EU.
“POPIA provides a mechanism for strict liability or vicarious liability to fall on the shoulders of the responsible party for the actions of its employees, or operators or third parties,” she says. It provides access to the courts through intellectual remedy for claims against that responsible party, irrespective of harm of negligence or intent on the part of that responsible party.”
However, under the GDPR, “the liability of processes is catered for,” Gabryk says offering the case of Morrison’s Supermarket in the UK as an example of the difference.
When a Morrison’s employee illegally downloaded payroll information onto a file share website the UK court decided there wasn’t liability that attached to the employer through the conduct of that employee. “
She said: ”Under the South African law, at least, it’s important that liabilities are regulated in contractual terms because there is no ramification or liability otherwise on operators.”
More onerous than GDPR?
The final difference between POPIA and the GDPR, Gabryk predicts will be quite fundamental from the volumes of data on breach reporting.
Under POPIA, she says, “There is no test of harm or reasonable prospect of harm to data subjects in triggering any data breach reporting obligation. So, the test is merely whether or not there has been an unauthorised access or acquisition of personal information by an unauthorised person. In that instance, it triggers the mandatory reporting obligations both to the information regulator as well as to affect the data subjects.”
“The fundamental difference is the process of enforcement”
Breaking this down, Gabryk says what they mean is that “simple breaches, which potentially have already been rectified and pose no harm to data subjects, which ordinarily wouldn’t be reportable under GDPR, are not reportable under under this African law.”
Furthermore, the Act lacks a strict timeline for reporting a breach, unlike the stated 72 hours under the GDPR, POPIA requires breaches to be reported “as soon as reasonable possible”.
“The fundamental difference is the process of enforcement. In particular, the Personal Information Act requires that an enforcement notice is issued prior to any penalty being issued, and it’s only through non-compliance with an enforcement notice that penalties are ultimately then issued by the Information Regulator,” Gabryk explains.
To summarise, Gabryk explains that in many areas, POPIA is a lot stricter than the GDPR, and in some ways “it’s weaker in that it does not provide liabilities to operators, which it arguably should. In other ways, it’s more onerous in that there are penalties and aggravated damages that can be found against the party, even when they have taken measures to prevent harm.”
Nicole Gabryk and her panellists discuss Regulatory Developments: POPIA and the Transition from Non-Regulation at 9am at PrivSec Global on June 23